==== The trap of 'StartsWith' and equivalents

When validating untrusted URLs by checking if they start with a trusted scheme
and authority pair `scheme://authority`, **ensure that the validation string
contains a path separator `/` as the last character**. +

If the validation string does not contain a terminating path separator, the
SSRF vulnerability remains; only the exploitation technique changes.

Thus, a validation like `startsWith("https://example.com")` or an equivalent
with the regex `^https://example\.com.*` can be exploited with the following
URL `\https://example.commit.malicious.io`.